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The  United  States  continues  to  experience  a  phenomenal  growth  in  the  Internet  combined  with 
an  increased  dependence  upon  the  automated  systems  within  its  information  infrastructure. 

This  tremendous  growth  is  accompanied  with  a  commensurate  increase  in  cyber  attack  and 
crime.  Both  nonstate  and  state  sponsored  enemies  are  becoming  more  organized  and  talented, 
and  experts  view  the  greatest  dangers  in  cyberspace  as  villains  lying  in  wait,  withholding  full- 
fledged  cyber  attack  until  the  opportunity  for  sufficient  strategic  advantage  presents  itself.  The 
United  States’  current  security  policies  and  strategies  depend  upon  voluntary  adherence  to 
government  recommendations  with  few  regulations,  standards  or  financial  incentives  to  gain 
private  sector  support.  The  potential  losses  associated  with  failing  to  secure  cyberspace  are  too 
high.  This  paper  provides  an  assessment  of  national  efforts  to  secure  cyberspace  and  puts 
forward  recommendations  to  strengthen  this  critical  national  infrastructure.  The  United  States 
must  reassess  its  national  strategies  and  with  practical  incentives,  enforce  stronger  measures  to 
secure  its  information  infrastructures.  Otherwise,  the  nation  will  face  unforeseen,  potentially 
catastrophic  consequences. 
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OUR  NATIONAL  INFORMATION  INFRASTRUCTURE;  AN  IMMEDIATE  STRATEGIC  CONCERN  IN 

NATIONAL  SECURITY  POLICY 


In  the  past  few  years,  threats  to  cyberspace  have  risen  dramatically.  The  policy 
of  the  United  States  is  to  protect  against  debilitating  disruption  of  the  operation  of 
information  systems  for  critical  infrastructures  and,  thereby,  help  to  protect  the 
people,  economy,  and  national  security  of  the  United  States. 

President  George  W.  Bush' 


INTRODUCTION 

Technology  advances  of  the  information  age  have  created  an  unimaginable  boom  in 
computing  and  a  tremendous  growth  in  the  networks  that  support  these  processes.  Countless 
national  systems,  both  in  civilian  and  government  sectors,  depend  upon  the  Internet  for  transfer 
of  information,  including  email,  e-commerce,  database  management  and  telemetry.  In  its  1997 
“Report  to  the  President’s  Commission  on  Critical  Infrastructure  Protection”,  the  Software 
Engineering  Institute  of  Carnegie  Mellon  University  described  the  integration  of  computers  into 
American  business  and  government  to  the  extent  that  “computer-related  risks  cannot  be 
separated  from  general  business,  health  and  privacy  risks’’.^  Updating  the  magnitude  of  this 
report,  the  Internet  Software  Consortium  estimates  the  number  of  users  on  the  Internet  in  2003 
as  171 ,638,297,  over  tenfold  growth  from  16,146,000  users  at  the  time  of  the  1997  Carnegie 
Mellon  publication.''  Clearly,  the  protection  of  our  national  information  infrastructure  presents  a 
vital  interest  to  our  national  security  and  this  critical  national  asset  depends  implicitly  upon  the 
rapidly  expanding,  increasingly  complex  Internet.  This  report  serves  to  examine  the  threat 
against  our  critical  infrastructure  and  our  national  actions  to  mitigate  our  risks  in  cyberspace. 

BACKGROUND 

While  arguably  one  of  the  prime  enablers  of  the  information  age,  the  Internet  also 
presents  the  greatest  vulnerability  to  the  protection  of  our  national  information  infrastructure. 
The  expansive  Internet  provides  both  tools  and  sanctuary  for  information  system  attackers  and 
intruders  (for  this  report  collectively  termed  “hackers”).  From  the  would-be  hacker  with  little 
computer  knowledge  to  state-sponsored  cyber  attack  organizations,  the  Internet  provides  the 
medium  to  exchange  illicit  software  and  knowledge  on  information  attack.  Also,  with  the 


connectivity  of  the  Internet  crossing  geographic  boundaries,  hackers  and  hacker  organizations 
find  refuge  from  detection  and  protection  from  prosecution  in  the  gray  area  of  internationai  and 
domestic  iaws.  In  illustration  of  this  digital  sanctuary,  an  amateur  hacker  caused  direct 
economic  damage  to  a  country  over  5000  miles  away  and  when  finally  discovered,  he  escaped 
prosecution.  In  this  case,  Israel  suffered  a  national  loss  of  $1 2  million  due  to  the  globally 
distributed  “Love”  virus,  yet  it  could  not  file  charges  against  the  originator  as  his  home  country, 
the  Philippines,  did  not  make  virus  writing  illegal  until  after  the  event.'*  This  case  illustrates  the 
sanctuary  of  the  Internet  as  well  as  the  pace  at  which  technology  has  outpaced  governments 
and  legal  systems.  The  same  attributes  that  enhanced  the  Internet's  original  purpose  of 
information  exchange  between  academics  and  government  research  agencies  have  provided  a 
rich  breeding  ground  for  information  attack. 

THE  THREAT  FROM  OUTSIDE  THE  WALLS 

In  1997,  the  President's  Commission  on  Critical  Infrastructure  Protection  (PCCIP) 
illustrated  the  prime  vulnerabilities  of  the  Internet  as  denial  of  service  attacks,  spoofing  and 
sniffers. 

•  Denial  of  service  attacks  overload  an  Internet  site  with  synchronization  requests 
and  thus  render  the  target  system  inoperative  and,  in  the  case  of  an  Internet 
Service  Provider  (ISP),  denies  information  service  to  all  connected  users. 

•  Spoofing  is  misrepresenting  one's  attacking  system  as  a  trusted  user,  either 
through  email  or  interactive  session,  to  gain  sensitive  information  or  illegal  system 
use. 

•  Sniffers  monitor  traffic  at  key  points  within  the  unsecured,  ubiquitous  Internet  and 
illicitly  retrieve  unlawful  data  such  as  sensitive  information,  user  ID's  and 
passwords. 

These  attacks  were  not  deemed  as  theoretical,  but  were  derived  from  actual  attacks  reported  to 
the  Computer  Emergency  Reaction  Team  (CERT)  Coordination  Center.® 

One  area  this  early  report  overlooked  was  the  Internet  phenomena  of  viruses.  Viruses 
are  malicious  code  hidden  within  a  seemingly  innocent  program,  normally  attached  as  an  email 
enclosure.  Once  an  unsuspecting  victim  executes  the  virus  code,  it  normally  distributes  itself  to 
other  potential  target  systems  (via  email  attachment)  and  oftentimes,  proceeds  to  destroy  stored 
data  on  its  current  host.  The  effect  of  this  type  of  virus  is  to  inflict  damage  on  the  user’s 
systems  and  of  larger  impact,  congest  the  Internet  and  Internet  servers  with  spurious  emails. 
More  dangerous  virus  variants  remain  hidden  within  the  users'  system  awaiting  directions  via 
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the  Internet  to  perform  malicious  functions  (known  as  Zombies)  or  siientiy  report  sensitive 
information,  such  as  passwords  and  bank  accounts,  to  distant  Internet  servers  (known  as 
Spyware).  Hackers  also  manually  plant  zombies  and  spyware  in  systems  that  are  not  properly 
secured  against  Internet  intrusion. 

Although  not  addressed  by  the  1997  Carnegie  Mellon  report,  the  largest  potential  for 
immediate,  broad  scale  cyber  attack  damage  to  the  United  States  lies  in  the  ability  to  hijack 
specialized  digital  devices  that  serve  as  the  brains  of  critical  industry  and  government 
operations.  These  devices,  called  Distributed  Controi  Systems  (DCS)  and  Supervisory 
Control  and  Data  Acquisition  (SCADA)  nodes,  perform  a  wide  variety  of  remotely  attended 
tasks  such  as  switching  electricity  within  power  grids,  throwing  railway  switches,  reconfiguring 
communications  networks  and  operating  valves  in  pipelines  that  carry  oil,  gas  and  water.  These 
devices,  if  controlled  by  our  enemies,  could  impact  all  aspects  of  national  life  through  countless 
means  including  shutting  down  power  girds,  stopping  air  and  rail  traffic  and  clogging 
communications  networks. 

When  corrupted,  DCS  and  SCADA  devices  can  produce  unimaginable  results,  as  was  the 
case  in  Queensland,  Australia  in  early  2000.  Vitek  Boden,  a  disgruntled  ex-employee  of  a 
telemetry  equipment  supplier,  commandeered  over  300  SCADA  nodes  belonging  to  the 
Maroochy  Shire,  Queenland  wastewater  system.  Using  a  stolen  laptop  computer  and  radio, 
Boden  dumped  hundreds  of  thousands  of  gallons  of  putrid  waste  into  his  surrounding 
community,  killing  marine  life,  contaminating  rivers,  and  disrupting  life  and  business  with  an 
“unbearable”  stench.  Although  it  was  his  46*'^  successful  intrusion,  Boden  was  arrested  only 
when  police  came  upon  his  suspicious  vehicle  parked  alongside  the  roadway.  By  remote 
control  from  his  pirate  command  center,  he  “could  have  done  anything  he  liked  to  the  fresh 
water”  according  to  Paul  Chisholm,  Chief  Executive  Officer,  Hunter  Watertech,  supplier  of 
telemetry  devices.® 

Boden’s  intent  was  to  gain  a  consulting  job  with  Maroochy  Shire  and  solve  their  “problem” 
of  leaking  wastewater.  He  established  criminal  control  over  the  300  SCADA  nodes  to  harass 
the  utility  service  for  his  economic  gain.  With  his  sporadic  attacks,  he  damaged  the  ecology  and 
hindered  business,  particularly  the  local  Hyatt  Regency  hotel.  It  is  important  to  realize  Boden's 
damage  was  limited  by  his  objective.  He  did  not  desire  to  destroy  the  community,  but  to 
manipulate  their  business  decisions.  If  Boden  had  been  a  terrorist,  he  could  have  caused 
tremendous  environmental  and  economic  damage  to  Maroochy  Shire,  whose  1 18,000  residents 
depend  upon  700,000  tourists  to  bring  $300  million  (Australian)  to  their  portion  of  Australia’s 
Sunshine  Coast.’’  If  he  had  been  a  terrorist  hijacking  SCADA  nodes  of  a  major  US  city,  the 
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results  could  have  easily  translated  into  a  national  emergency  of  containing  the  environmental 
Impact,  providing  fresh  water,  and  controlling  disease. 

The  value  of  DCS  and  SCADA  nodes  has  not  gone  unnoticed  by  our  adversaries.  Due  to 
recent  discoveries,  the  threat  capability  normally  attributed  to  state-sponsored  cyber  attack 
organizations,  such  as  China  and  Russia,  is  now  being  expanded  to  terrorists.  Recently  In 
Afghanistan,  US  forces  found  Al  Qaeda  laptops  with  evidence  of  research  of  digital  switches 
that  control  utilities,  system  cracking  tools,  scanners  for  security  flaws  and  computer  models  of 
a  dam.  More  startling,  they  found  software  used  In  predicting  “the  course  of  a  wall  of  water 
surging  downstream”.  Member  of  the  President’s  Commission  on  Critical  Infrastructure 
Protection  and  US  Intelligence  agencies  agree  that  we  have  underestimated  terrorist’s  interest 
in  cyber  attack,  yet  they  view  these  attacks  as  a  means  to  amplify  the  consequence  of  direct 
kinetic  attacks.® 

THE  THREAT  FROM  WITHIN 

The  threat  discussed  thus  far  has  been  focused  upon  external  Intruders  attacking  our 
Information  systems.  While  this  Is  a  formidable  threat.  It  Is  inevitable  that  we  will  experience  an 
attack  from  commercial  software  purchased  and  installed  by  ourselves.  Today’s  sophisticated 
commercial  computer  programs  require  millions  of  lines  of  source  code  and  serve  as  a  lucrative 
hiding  place  for  Trojan  Horse  routines.  A  Trojan  Horse  is  a  malicious  program  hidden  within  a 
legitimate  application  that  can  perform  any  of  the  variety  of  hacker  threats  discussed  earlier. 
Once  installed  on  a  computer,  the  system  considers  it  trusted  and  allows  the  infected  program 
to  execute  its  instructions.  It  is  important  to  realize  that  this  malicious  programming  can  impact 
the  software  function  of  traditional  computing  as  well  as  the  firmware  that  controls  the 
workhorse  computers  found  in  automobiles,  aircraft,  railroad  engines,  microwave  ovens, 
weapon  systems  and  thousands  of  other  automated  systems  found  in  every  day  life.  The 
Trojan  Horse  can  activate  based  upon  a  date  or  series  of  events  within  the  computer  system. 
More  flexible  and  attractive  to  the  hacker,  the  T rojan  Horse  can  serve  as  a  zombie  awaiting 
distant  commands,  as  a  backdoor  to  control  the  system  via  the  Internet  or  as  spyware,  reporting 
the  system’s  sensitive  information. 

The  likelihood  of  Trojan  Horse  routines  existing  within  commercial  software  is  extremely 
high.  Very  few  software  companies  require  background  investigations  on  information 
technology  (IT)  personnel  and  at  most,  they  perform  background  checks  by  reviewing 
references.  As  risky  as  this  may  seem,  the  latest  trend  of  offshore  outsourcing  of  software 
development  exponentially  increases  the  threat  and  raises  the  issue  of  a  trend  that  places  our 
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national  information  infrastructure  at  risk.  At  the  2003  Techno-Security  Conference,  users 
questioned  the  wisdom  of  offshore  software  development  by  cerperations  aiming  te  reap  the 
benefits  of  cheap  labor.  The  level  of  risk  and  outcome  of  this  risky  venture  is  criticized  as 
unknown.  Although  an  unevaluated  danger,  the  threat  is  clearly  present,  especially  when  the 
work  is  going  to  countries  such  as  China  with  its  extensive  technology  espionage  networks  and 
countries  in  Southeast  Asia  where  terrorist  networks  are  known  to  exist.® 

Fortune  500  companies  have  embraced  the  concept  ef  offshore  software  development 
with  heavy  investments.  For  example,  Adobe  spent  $50  mil  in  2001  to  expand  its  pregramming 
and  research  center  in  New  Delhi,  India.'®  The  reason  is  simple;  lewer  laber  costs.  To  highlight 
our  Adobe  example,  the  starting  salary  of  a  software  engineer  in  India  is  $5000;  while 
experienced  engineers  receive  $1 0000  and  top  IT  professionals  earn  approximately  $20,000. 
Meanwhile,  US  IT  jobs  are  down  20%  since  2000  and  senior  software  engineer  salaries  have 
fallen  from  $130,000  to  $100,000."  Business  is  shifting  its  productien  of  software  overseas  and 
views  this  change  as  a  survival  effert  in  a  tough  global  IT  market. 

While  the  meve  te  overseas  outsourcing  has  been  accelerated,  business  has  been  slow  to 
ensure  their  software  remains  trustworthy.  Companies  investing  in  effshore  software 
development  must  emplace  verification  and  auditing  systems,  yet  according  to  Tim  McKnight, 
Chief  Information  Assurance  Officer  at  Nerthrup  Grumman,  this  will  be  cestly.  Citing  his 
experience  at  Cisce  Systems,  he  stated  the  corporation  would  send  teams  overseas  to  monitor 
file  and  source  cede  servers  and  perform  risk  assessments.  Yet  through  all  the  efferts,  he 
claimed  it  was  “very  difficult  to  know  who  these  people  are.  It  can  be  done,  [but]  you  really  need 
buy-in  from  the  tep  of  the  corporation.”'®  In  Japan,  this  international  trend  is  focused  upon 
China  with  Japanese  blue  chip  ccrporation  investments  pushing  China  frem  the  “factory  to  the 
world”  to  the  “design  laboratory  of  the  world”.  This  effort  focuses  on  both  software  engineering 
and  chip  productien.'®  The  trend  for  offshore  software  development,  with  its  inherent  risk  to  our 
national  information  infrastructure,  is  an  increasing  international  business  trend,  yet  the  means 
to  perform  auditing  and  verification  is  almost  nonexistent. 

THE  HIDDEN  WAR 

In  recent  years,  the  vulnerabilities  of  the  Internet  have  translated  into  an  alarming  number 
of  attacks  on  our  national  information  infrastructure.  To  illustrate,  the  nation’s  power  grid  is  one 
critical  area  under  cyber  attack.  Since  the  widespread  acceptance  of  the  Internet,  power 
companies  have  embraced  the  advantage  of  remote  operation,  via  SCADA/DCS  nodes,  of 
equipment  spread  ever  large  distances.  In  the  spring  of  2001 ,  unknown  hackers  penetrated  and 
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gained  control  of  systems  within  California  Independent  System  Operator  (Cal-ISO),  the  state 
manager  of  long  distance  electricity  transmission.  Fortunately,  the  attacked  computer  systems 
were  confined  to  a  practice  network  disconnected  from  the  power  grid  that  controls  much  of  the 
Western  US,  yet  it  served  as  the  first  publicly  acknowledged  cyber  attack  to  gain  control  of  part 
of  our  national  infrastructure.^''  The  alarming  point  of  this  1 7-day  intrusion  into  California’s 
electricity  control  systems  is  that  it  appears  the  hackers  were  of  Chinese  origin,  linked  to  the 
Honkers  Union  of  China  (HUC).  “Honker”  is  the  Chinese  derivative  of  the  work  hacker.  During 
the  same  period  of  the  intrusion,  HUC  defaced  CAL-ISO  websites  with  Chinese  flags, 
statements  decrying  US  imperialism  and  pictures  of  the  Wang  Wei,  the  Chinese  F-8  fighter  pilot 
who  collided  with  a  US  spy  plane  on  April  1  ®*,  2001 .  Yet,  as  is  often  the  case  in  computer 
attack,  it  is  extremely  difficult  to  conclusively  identify  the  assailants.'® 

Many  of  the  attacks  on  our  systems  appear  to  be  well  organized  and  well  concealed.  In 
the  six  months  following  the  World  Trade  Center  attack,  security  companies  logged  129,000 
intrusions  targeted  against  the  nation’s  power  grid,  many  of  which  appeared  to  be  sponsored  by 
governments  or  organizations  in  the  Middle  East.'®  Last  year,  U.S.  intelligence  officials 
discovered  an  Al  Qaeda  safe  house  in  Pakistan  devoted  to  training  hacker  skills  and  cyber 
warfare,  termed  a  “cyber  academy”.  During  the  same  period,  60  percent  of  power  and  energy 
companies  experienced  at  least  one  severe  cyber  attack  during  the  last  half  of  2002.'^  These 
cyber  attacks  are  difficult  to  assess  as  corporations  are  hesitant  to  admit  that  they  have  been 
successfully  attacked.  With  good  fortune,  none  of  these  attacks  proved  catastrophic,  yet  the 
events  clearly  illustrate  the  ongoing,  hidden  war  in  cyberspace  and  the  potential  for  greater 
exploitation  of  our  information  infrastructure  vulnerabilities. 

The  soldiers  in  this  hidden  war  fall  into  several  different  categories.  First,  there  are 
misguided  thrill  seekers,  termed  as  hackers,  crackers  and  phreakers  to  name  a  few,  who 
intrude  upon  or  disrupt  information  systems  to  gain  internal  satisfaction  or  external  recognition 
from  their  peers.  Using  a  Western  analogy  of  good  and  bad,  they  usually  split  into  two 
subcategories,  “white  hat”  and  “black  hat”  hackers,  and  can  also  qualify  as  “hacktivists”  or 
criminals,  as  discussed  below.  Second,  there  is  the  criminal  element  whose  intent  is  illicit  gain 
through  identity  theft,  mail  fraud  and  other  crimes.  Third,  there  are  politically  or  nationally 
inspired  activists,  sometimes  termed  hactivists,  that  attack  information  systems  for  ideological 
reasons.  An  example  of  this  is  the  Palestinian-lsraeli  cyber  war  of  2000.  This  series  of  cyber 
attacks  started  with  simple  web  site  defacements  and  then  quickly  escalated  into  a  “cyber  jihad” 
with  a  large  number  of  denial  of  service  attacks,  which  slowed  the  Middle  East’s  sparse  Internet 
infrastructure  and  damaged  E-business.'®  While  at  first  glance,  one  might  think  the  cyber 
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combatants  were  confined  to  Palestine  or  Israel,  yet  with  a  zeal  of  volunteerism  based  upon 
political  ideals,  volunteers  from  around  the  world  joined  the  fight.  This  made  the  Palestinian- 
Israeli  cyber  war  a  world  war  that  caused  damage  to  computer  systems  across  many  national 
boundaries.  Fourth,  there  are  nonstate  sponsored  hackers ,  previously  discussed  in  this 
report  as  terrorists.  As  another  example  of  nonstate  sponsored  actors,  Zapatista  guerillas  used 
the  Internet  to  disseminate  their  revolutionary  views  and  effectively  jam  Mexican  government 
web  sites.^®  In  the  case  of  terrorists,  it  is  commonly  believed  within  the  cyber  security 
community  that  full  scale,  nonstate  sponsored  cyber  attack  will  be  used  to  amplify  kinetic 
strikes.  Finally  and  potentially  most  dangerous,  state  sponsored  cyber  attack  organizations 
are  growing  in  strength.  Many  nations,  including  the  US,  have  developed  their  own  ability  to 
conduct  network  attack.  As  early  as  1999,  the  Chinese  Liberation  Army  Daily  published  that 
integrating  network  warfare  with  warfare  on  the  ground  was  essential  to  winning  future 
conflicts.^'’  While  many  believe  governments  may  have  secretly  supported  hacktivists,  state 
sponsored  cyber  attack  has  not  been  reported  and  confirmed  to  date.  This  is  due  to  the  secrecy 
surrounding  these  activities  and  more  importantly,  because  governments  withhold  their  full 
network  attack  capability  to  achieve  surprise  at  the  proper  strategic  moment.  Up  to  now,  there 
has  not  been  an  event  to  warrant  unbridled  network  attack. 

THE  RESPONSE 

The  United  States  has  been  slow  to  react  to  the  threat  described  by  the  1 997  Carnegie 
Mellon  report.  After  reviewing  this  report,  the  President’s  Commission  on  Critical  Infrastructure 
Protection  issued  a  report  in  October  1 997,  calling  for  “a  national  effort  to  assure  the  security  of 
the  United  States’  increasingly  vulnerable  and  interconnected  infrastructures”.^'  On  22  May 
1998,  President  Clinton  announced  Presidential  Decision  Directive  (PDD)  63,  which  focused 
upon  physical  and  cyber  attack.^^  PDD  63  set  a  goal  of  “reliable,  interconnected,  and  secure 
infrastructure  by  the  year  2003  and  significantly  increased  security  for  government  information 
systems  by  the  year  2000”.  More  challenging,  it  set  a  deadline  of  2003  to  build  the  capability  to 
protect  critical  infrastructures  from  intentional  act.^^  While  PDD  63  may  have  experienced  some 
success  within  the  government  sector,  it  has  failed  to  meet  its  private  sector  goals  as  the 
strategy  alone,  The  National  Strategy  to  Secure  Cyberspace,  was  not  published  until  February 
2003.'" 

The  National  Strategy  to  Secure  Cyberspace  serves  as  the  nation’s  plan  to  secure  our 
critical  information  infrastructures,  yet  this  strategy  has  received  tremendous  criticism  to  the 
extent  of  being  termed  “useless”.'®  The  main  criticism  of  the  strategy  is  that  it  lacks  any  means 
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of  enforcement  or  standardization.  The  strategy  emphasizes  recommendations  for  improving 
security  and  partnering  between  government,  the  private  sector  and  citizens,  yet  it  does  not  set 
standards  or  emplace  federal  regulations  to  protect  the  Internet.  The  administration  backed 
away  from  original  regulations,  such  as  requiring  free  security  software  with  home  Internet 
service  and  restricting  the  use  of  vulnerable  wireless  networks.  Critics  have  charged  that  these 
Initiatives  were  dropped  as  a  result  of  lobbying  from  technology  firms,  which  desired  to  avoid 
“potentially  costly  government  restrictions”.^®  Finally,  the  strategy  offers  no  incentives  for  the 
private  sector  to  Incur  the  cost  of  Internet  security.  Strategy  critics  strongly  argue  that  to 
convince  industry  to  secure  its  networks,  the  government  should  offer  tax  and  other  financial 
Incentlves.^^  The  strategy  falls  short  of  protecting  cyberspace  by  relying  upon  users  to  exercise 
more  responsibility  on  the  Internet  and  the  voluntary  adoption  of  costly  security  measures. 

A  review  of  the  National  Strategy  to  Secure  Cyberspace  reveals  varying  levels  of  strategy 
for  different  segments  of  our  society.  At  the  federal  level,  the  document  outlines  security 
improvements  to  the  US  government  information  infrastructure  that  are  tied  to  budget, 
delegated  to  action  agencies,  assessed  by  “red  teams”  and  periodically  reviewed  by  committee. 
Also,  clarifying  previous  positions,  the  document  states  that  the  US  response  to  cyber  attack  will 
not  be  limited  to  criminal  prosecution,  but  that  the  US  will  respond  in  an  “appropriate  manner.” 

At  the  state  and  local  government  level,  the  wording  becomes  less  direct  and  focuses  upon 
awareness  training  and  encouragement  to  develop  IT  security.  Finally,  when  discussing 
business  and  Individual  users,  the  strategy  emphasizes  Information  sharing,  coordination  and 
encouragement  of  the  private  sector  to  secure  our  information  infrastructure.^®  When  examining 
the  direction  for  the  three  major  groups  within  the  strategy,  the  document  provides  fairly  clear 
direction  for  the  federal  government  to  defend  its  critical  Infrastructure  while  almost  leaving 
state/local  governments  and  business/public  users  to  solve  the  security  of  cyberspace  on  their 
own.  For  this  reason,  the  plan  falls  short  of  a  national  strategy. 

In  1998  with  the  publication  of  FDD  63,  the  United  States  formally  recognized  the  critical 
need  for  securing  the  vulnerabilities  of  cyberspace  yet  its  actions  in  overall  security  policy  have 
not  matched  the  priority  of  protecting  this  vital  resource.  Condeleezza  Rice,  the  National 
Security  Advisor  has  stated  that  the  protection  of  critical  Infrastructures  Is  a  priority  national 
security  objective.  Yet  at  the  same  time,  the  latest  US  National  Security  Strategy  (NSS)  is  seen 
as  “devoid  of  any  information  infrastructure  issues’‘^®  and  the  National  Strategy  to  Secure 
Cyberspace  falls  far  short  of  providing  protection  of  our  critical  Information  assets.  Our  nation's 
security  policy  must  recognize  that  the  Internet,  with  its  global  networks  and  millions  of 


8 


computer  systems,  is  a  21®*  Century  battle  space  that  directly  threatens  eur  critical  informatien 
infrastructures  in  order  to  achieve  the  prierity  necessary  to  combat  this  looming  threat. 

The  response  ef  the  United  States  to  the  demenstrated  dangers  to  our  national 
information  infrastructure  has  been  one  of  moderately  proactive  measures  at  the  federal  level 
and  passive  measures  elsewhere.  Fer  state  and  local  governments,  as  well  as  the  general 
public  and  business,  the  natienal  strategy  encourages  actien  and  promotes  the  federal 
gevernment  as  an  example  for  others  te  follew.  This  mainly  passive  approach  however  seems 
to  apply  a  laissez  faire  methodology  to  the  critical  task  of  protecting  our  national  information 
infrastructure.  Applying  a  business  principle  to  a  national  security  issue,  the  defense  of  our 
information  systems  warrants  more  direct  actien  and  must  be  a  unified,  cross-secter  approach 
for  several  reasens.  First,  whether  public  or  private,  our  computer  systems  share  the  same 
Internet  for  the  transfer  of  data.  It  does  not  matter  if  yeur  lecal  area  networks  are  free  from 
attack  if  the  connecting  Internet  is  disabled  er  your  servers  are  bombarded  with  emails  frem 
infected  systems.  Secondly,  a  determined  adversary  will  exercise  an  asymmetric  apprcach  to 
attacking  the  US.  For  example,  if  federal  agencies  are  strong  in  cyber  defense,  our  adversaries 
will  attack  the  portion  of  national  infrastructure  that  is  susceptible  to  their  threat.  In  the  end,  all 
sectors  of  the  national  information  infrastructure  lose  in  a  catastrophic  attack.  Finally,  when 
faced  with  cestly  information  security  measures,  cempanies  and  individuals  have  demenstrated 
a  lax  attitude  towards  expending  resources  to  ensure  the  trustworthiness  and  reliability  of  their 
information  systems.  The  Gartner  Group  predicts  that  90%  of  cyber  attacks  through  2005  will 
occur  by  exploiting  known  security  flaws  for  which  there  are  known  preventive  measures.  This 
vulnerability  is  due  to  vendors  delivering  systems  with  security  features  disabled,  a  lack  of 
qualified  IT  security  personnel  and  a  lack  of  specificity  of  information  security  standards.**" 

When  faced  with  expenditures  to  improve  operations  or  improve  security,  management  has 
chosen  operatiens  where  the  benefits  are  more  readily  understood  and  achieved.  The  Natienal 
Strategy  to  Secure  Cyberspace  must  take  more  active  measures  to  protect  the  entire 
informatien  infrastructure  of  the  United  States. 

THE  WAY  AHEAD 

When  examining  the  issue  of  securing  the  natien’s  information  infrastructure,  there  is  a 
balance  ef  control  extending  frem  draconian  government  regulatien  to  totally  unregulated 
activity.  The  current  strategy  preactively  guides  the  activities  ef  the  federal  government  while, 
although  not  totally  unregulated,  allews  other  sectors  of  the  information  infrastructure  to 
determine  their  levels  of  security  based  upon  self-interest,  individual  respensibility  and 
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organizational  needs.  Cumbersome  and  disjointed,  this  strategy  will  prove  difficult  to  achieve 
the  goal  of  infrastructure  protection  since  the  national  information  infrastructure  is  only  as  strong 
as  the  sum  of  its  components  and  the  competitive  private  sector  has  proven  itself  slow  in 
correcting  its  vulnerabilities.  Due  to  the  nature  of  the  Internet  and  information  systems,  the 
actions  or  inactions  of  any  sector  can  adversely  impact  other  members  of  the  network. 
Therefore,  the  national  strategy  must  be  strengthened  and  provide  clearer  direction  to  protect 
our  infrastructure  from  adversary  attack. 

Richard  Clarke,  former  Cyber  Security  Director,  countered  critics  of  the  newly  published 
National  Strategy  for  Securing  Cyberspace  by  arguing  that  cyber  security  is  so  complex  that  it 
defies  a  centralized,  regulatory  approach.®’  While  this  may  be  true,  there  are  strategies  that 
provide  dynamic  means  to  strengthen  the  nation’s  information  infrastructure  in  a  more  balanced 
manner.  Combined  with  awareness  of  the  threat,  private  and  government  sectors  will  respond 
to  forward-looking  laws,  incentives  and  realistic  appraisals  of  their  information  defense 
capabilities.  By  increasing  the  clarity  and  appeal  of  the  current  strategy,  the  US  can  preserve  its 
information  infrastructure  to  support  the  nation  in  times  of  peace  and  crisis. 

The  national  strategy  must  reexamine  the  nation’s  laws  concerning  cyber  security.  First, 
manufacturers  and  vendors  must  realize  liability  for  the  trustworthiness  of  their  systems  and 
software.  Whether  produced  domestically  or  by  offshore  outsourcing,  manufacturers  must 
emplace  reasonable  verification,  validation  and  standards  for  safeguarding  software  from 
security  flaws.  Therefore,  the  Department  of  Homeland  Security,  through  the  President’s 
Commission  on  Critical  Infrastructure  Protection,  should  lead  a  consortium  of  government  and 
private  sector  members  to  establish  reasonable  practices  for  production  of  IT  components.  With 
a  foundation  of  production  standards  of  trustworthiness,  manufacturers  would  then  be  liable  for 
failure  to  ensure  IT  integrity.  Second,  the  nation  must  update  its  laws  to  match  the  severity  of 
damage  related  to  hacker  activity.  When  four  viruses  can  cost  the  nation  $1 2  billion  and  one 
virus  alone  can  shut  down  350,000  servers®®,  hackers  can  no  longer  be  viewed  as  harmless, 
misdirected  nonconformists.  Their  actions  are  deliberate,  premeditated  and  they  must  be 
prosecuted  in  the  manner  commensurate  to  that  of  a  federal  felon  or  terrorist.  Finally,  the  US 
must  continue  its  efforts  to  update  international  law  to  match  the  modern  challenges  of  cyber 
security. 

The  federal  government  should  provide  incentives  to  private  and  government  sectors  to 
promptly  upgrade  their  cyberspace  security.  For  business,  the  US  government  should  provide 
tax  incentives  for  procurement  of  security  measures  and  the  production  of  security-conscious 
technology.  Currently,  business  views  IT  expenditures  as  competition  for  operational  resources. 
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Along  with  awareness,  carefully  crafted  tax  incentives  can  stimulate  business  to  emplace 
cyberspace  security  measures  and  produce  attack  resistant  information  technology.  With 
liability  for  failure  and  incentives  for  success,  security  investments  can  successfully  compete  in 
the  boardrooms  of  corporate  America.  For  individuals,  the  government  implemented  a  limited 
program  of  “cybercops”  or  scholarships  for  IT  personnel  to  support  the  national  cyberspace 
strategy.®^  This  action  should  be  continued  and  at  the  same  time,  expanded  to  support  student 
loans  for  technology  degrees  focused  upon  information  security.  These  graduates  would  then 
be  used  to  fill  the  shortages  of  IT  security  personnel  within  the  business  sector.  Also,  the 
government  must  require  that  Internet  Service  Providers  (ISP)  provide  basic  security  tools  and 
safeguards  to  its  customers.  This  makes  sense  for  their  business  interests  and  strengthens  the 
posture  of  our  national  networks.  Finally,  federal  standards,  backed  by  federal  incentives,  must 
regulate  IT  security  at  the  state  and  local  levels.  While  not  politically  favorable  at  first  glance, 
the  protection  of  our  information  infrastructure  is  only  accomplished  as  a  matter  of  national 
defense. 

The  National  Strategy  for  the  Security  of  Cyberspace  establishes  the  US  government  as 
the  role  model  for  others  to  follow;  yet  it  falls  short  of  formally  establishing  its  role  of  setting 
standards  for  IT  security.  Granted,  the  establishment  of  technology  standards  is  a  moving 
target  as  technology  evolves;  yet  private  business,  as  a  group  with  its  shortage  of  experienced 
personnel  and  multiple  focuses,  has  not  proven  itself  dynamic  enough  to  stay  abreast  of  current 
technology.  Therefore,  the  government  is  the  practical  choice  to  lead  a  consortium  of  private 
and  government  representatives  to  establish  common  standards  and  best  practices  for  the 
sound  implementation  of  IT  security. 

“Red  Teams”  refer  to  the  government  practice  of  testing  its  vulnerabilities  to  cyber  attack. 
Established  for  federal  agencies,  these  attacks  stress  and  validate  an  organization's  ability  to 
defend  its  information  assets.  As  the  security  of  our  information  infrastructure  affects  all 
citizens.  Red  Team  actions  should  be  expanded  to  all  sectors  of  the  US  portion  of  the  Internet. 
The  program  could  be  phased  in  as  a  voluntary  assessment  of  an  organization’s  information 
security  and  as  the  system  matures,  the  Red  Team  activities  could  randomly  examine  business, 
government  and  private  sector  networks  by  Internet  Protocol  (IP)  domains.  As  vulnerabilities 
are  determined,  Internet  service  providers  (ISP)  and  IT  departments  would  be  notified  of  their 
vulnerabilities  along  with  suggested  corrections.  Red  Team  activities  would  soon  become 
analogous  to  a  policeman  walking  his  beat,  checking  windows  and  doors  for  vulnerabilities. 

With  technology  advances,  many  of  the  Red  Team  activities  can  be  automated  to  save  costs. 


11 


Finally,  to  avoid  the  natural  resistance  to  “Big  Brother”,  Red  Team  procedures  would  have  to  be 
carefully  developed  to  safeguard  individual  privacy  and  property  rights. 

While  falling  short  of  strict  government  regulation  of  information  security,  these  forward 
looking  measures  provide  a  variety  of  incentives  and  standards  to  strongly  encourage  both 
private  and  government  sectors  to  strengthen  the  security  of  our  nation’s  cyberspace.  The 
security  of  our  national  information  infrastructure  is  critical  to  the  survival  and  operation  of  our 
nation.  Fortunately,  we  have  not  experienced  an  information  event  to  match  the  terrorist  attack 
of  September  1 1  *^.  Yet  should  we  continue  with  our  present  policy,  we  remain  vulnerable  in  this 
critical  infrastructure  area.  The  security  of  cyberspace  serves  as  an  infrastructure  protection 
that  enables  other  national  infrastructures.  The  priority  must  be  placed  upon  achieving  success 
within  this  complicated  battle  space.  The  US  must  immediately  strengthen  its  strategy  to  protect 
cyberspace  and  these  measures  represent  the  types  of  action,  short  of  strict  regulation,  that  will 
improve  our  ability  to  preserve  our  critical  resource  of  functional,  trustworthy  information 
infrastructure. 

CONCLUSION 

The  nation  continues  to  experience  a  phenomenal  growth  in  the  Internet  accompanied 
with  an  exponential  increase  in  our  vulnerability  of  cyber  attack.  Our  daily  enemies  are 
becoming  more  organized  and  talented,  yet  experts  view  the  greatest  dangers  in  cyberspace  as 
villains  lying  in  wait:  state-sponsored  organizations  withholding  full-fledged  cyber  attack  until  the 
opportunity  for  sufficient  strategic  advantage  presents  itself.®''  Amongst  so  many  potential 
threats,  the  United  States’  current  cyberspace  security  strategies  remain  dependent  upon 
voluntary  adherence  to  government  recommendations  with  few  regulations,  standards  or 
financial  incentives  to  gain  private  sector  or  state  and  local  government  support. 

The  United  States  must  reassess  its  national  strategies  and  with  practical  incentives, 
enforce  stronger  measures  to  secure  its  critical  information  infrastructures.  The  strategy  for 
reinforcing  the  security  of  cyberspace  need  not  be  accomplished  with  heavy-handed  regulation. 
As  a  balance  of  responsibility  and  incentives,  the  way  ahead  should  embrace  the  three  major 
areas  outlined  within  this  paper.  First,  on  the  legal  front,  companies  must  clearly  recognize  their 
liability  for  not  adhering  to  recognized  best  business  practices  for  ensuring  the  trustworthiness 
of  the  development,  operation  and  distribution  of  information  infrastructure  related  products  and 
services.  Along  the  same  vein,  the  government  must  update  its  laws  and  promote  standards  of 
international  law  commensurate  with  the  severity  of  cyber  crimes.  Second,  in  the  role  of 
leadership,  the  government  must  serve  as  both  the  role  model  and  leader  for  developing 
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standards  and  providing  business,  academic  and  tax  incentives  to  strengthen  cyber  security. 
Finaiiy,  the  strategy  must  expand  “red  team”  activities  into  the  new  frontier  of  probing  the 
nationai  information  infrastructure  for  weakness.  Once  discovered,  these  vuinerabiiities  wouid 
be  reported  to  the  susceptibie  organization  with  recommendations  for  correction.  With  a  strong 
proactive  strategy,  the  United  States  wiii  position  itseif  as  the  worid’s  ieader  in  securing 
cyberspace  and  serve  as  an  exampie  for  other  nations  to  foiiow. 

The  United  States  of  America  has  become  thoroughiy  dependent  upon  its  information 
infrastructure  and  supported  automated  systems.  Whiie  serving  as  a  prime  enabier  of  the 
information  age,  cyberspace  aiso  serves  as  the  “perfect  environment”  where  asymmetric  foes 
can  strike  “indirectiy,  invisibiy,  and  from  their  perspective,  undetected”. Viewing  the  threat,  the 
potentiai  iosses  associated  with  faiiure  to  secure  cyberspace  are  too  high.  If  we  continue  with 
partiai  soiutions,  the  nation  wiii  face  unforeseen,  potentiaiiy  catastrophic  consequences.  To 
maintain  a  strong  information  infrastructure  during  war,  peace  or  nationai  crisis,  our  nationai 
security  poiicy  must  reflect  the  incentives  and  guideiines  recommended  by  this  report. 
Strengthening  our  nationai  information  infrastructure  against  the  hidden  enemies  of  cyberspace 
is  a  compiex,  difficuit  task,  yet  with  strong  direction  and  partnership  across  aii  sectors,  the 
nation  can  confidentiy  buttress  itseif  against  the  iooming  vuinerabiiities  of  an  increasingiy  digitai 
worid. 
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